LetsDefend Challenge DFIR: Memory Analysis writeup
LetsDefend Challenge DFIR: Memory Analysis
- What was the date and time when Memory from the compromised endpoint was acquired?
- What was the suspicious process running on the system? (Format : name.extension)
- Analyze and find the malicious tool running on the system by the attacker (Format name.extension)
- Which User Account was compromised? Format (DomainName/USERNAME)
- What is the compromised user password?
Since I realized that volatility3 is easier to install and easier to use than volatility2, I have been using volatility3.
Volatility - CheatSheet - HackTricks
What was the date and time when Memory from the compromised endpoint was acquired?
Answer: 2022-07-26 18:16:32
What was the suspicious process running on the system? (Format : name.extension)
I worked through this while looking at the SANS poster of the standard Windows processes.
Hunt Evil | SANS Poster
vol -f dump.mem windows.pslist
The output of that is shown below.
"lsass.exe" looks suspicious.
Answer: lsass.exe
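To make the "lsass.exe looks suspicious" judgement repeatable, here is an added example (my own code, not part of the original writeup) that parses windows.pslist output and applies the Hunt Evil rule of thumb: one lsass.exe, parented by wininit.exe. The sample pslist text, its PIDs and PPIDs are constructed, not taken from the challenge dump.

```python
"""Flag lsass.exe anomalies in volatility3 `windows.pslist` output.

Heuristic from the SANS "Hunt Evil" poster: a healthy Windows host has
exactly one lsass.exe and its parent is wininit.exe. Anything else is a
candidate for `--dump` and a hash lookup, as the writeup does for PID 7592.
"""
from collections import namedtuple

Proc = namedtuple("Proc", ["pid", "ppid", "name"])

# Constructed sample in the column layout of `vol -f dump.mem windows.pslist`
# (real output is tab-separated; split() handles either). All values are made up.
SAMPLE_PSLIST = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime
4 0 System 0xa50ab3c8a040 157 - N/A False 2022-07-26 17:40:11.000000 N/A
600 480 wininit.exe 0xa50ab5c26080 1 - 0 False 2022-07-26 17:40:13.000000 N/A
700 600 lsass.exe 0xa50ab5c8a080 10 - 0 False 2022-07-26 17:40:14.000000 N/A
4400 4300 explorer.exe 0xa50ab6e12080 70 - 1 False 2022-07-26 17:41:02.000000 N/A
7592 4400 lsass.exe 0xa50ab7b1a080 3 - 1 False 2022-07-26 18:05:27.000000 N/A
"""


def parse_pslist(text):
    """Keep only rows whose first two columns are integers (PID, PPID)."""
    procs = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 3 and cols[0].isdigit() and cols[1].isdigit():
            procs.append(Proc(int(cols[0]), int(cols[1]), cols[2]))
    return procs


def find_lsass_anomalies(procs):
    """Return the lsass.exe instance count and the PIDs whose parent is not wininit.exe."""
    by_pid = {p.pid: p for p in procs}
    lsass = [p for p in procs if p.name.lower() == "lsass.exe"]
    bad_parent = []
    for p in lsass:
        parent = by_pid.get(p.ppid)  # None if the parent already exited
        if parent is None or parent.name.lower() != "wininit.exe":
            bad_parent.append(p.pid)
    return {"instances": len(lsass), "bad_parent": bad_parent}


if __name__ == "__main__":
    result = find_lsass_anomalies(parse_pslist(SAMPLE_PSLIST))
    print(f"lsass.exe instances: {result['instances']} (expected 1)")
    for pid in result["bad_parent"]:
        print(f"PID {pid}: lsass.exe not parented by wininit.exe, dump and hash it")
```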
Analyze and find the malicious tool running on the system by the attacker (Format name.extension)
Dump the suspicious lsass.exe with
vol -f dump.mem windows.pslist --pid 7592 --dump
Searching for the hash of the resulting file gives:
https://www.virustotal.com/gui/file/ac87ce8b5902643dfedf4c3c02b91d7e06743e0bc2f3f87b0a4fbdd6ad111670
Answer: winPEAS.exe
Which User Account was compromised? Format (DomainName/USERNAME)
vol3 can display a process's environment variables.
vol -f dump.mem windows.envars --pid 7592 | grep USER
Run the above.
Answer: MSEDGEWIN10/CyberJunkie
What is the compromised user password?
With volatility2 you first had to look up the addresses of the SAM and SECURITY hives and pass them to the vol command to get this output, but now it seems to work in one step.
Submit the hash for CyberJunkie found here to crackstation.
Answer: password123